Nmap Announce mailing list archives
RE: UDP port scanning...
From: "Ofir Arkin" <ofir () packet-technologies com>
Date: Thu, 10 Feb 2000 14:21:15 +0200
Guys you really should read the CHANGES file :P

Fyodor has written there in the CHANGES for BETA 13: "I made NMAP smarter about detecting filtering during UDP, XMAS, ...."

So I was curious and emailed him, and the answer was that if above a certain number of ports (very high, above 1000) no PORT UNREACHABLE message was received then the UDP protocol must be filtered.

If a REJECT rule is defined for a UDP port this is another indication for a port which is filtered, since we will receive an ICMP error message indicating this.

A simpler method for checking if the UDP protocol is filtered is to send a UDP datagram to a port which is certainly closed, aka not running any service, port 0, port 65535 or whichever port you feel will do the work and not be obvious for detection. Then if you do not receive the ICMP Port unreachable message from this closed port you can assume a filtering device is filtering the traffic with a DROP rule.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Ofir Arkin                  Tel: 972-3-5587001
Security Q&A Manager        Fax: 972-3-5587003
Packet Technologies         http://www.packet-technologies.com
ofir () packet-technologies com
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

-----Original Message-----
From: antirez [mailto:antirez () invece org]
Sent: Thursday, February 10, 2000 12:35 PM
To: nmap-hackers () insecure org
Subject: Re: UDP port scanning...

On Thu, Feb 10, 2000 at 10:23:42AM +1100, Darren Reed wrote:
> I must have written my original email in French - it seems like only 1 in 10 people (or thereabouts) actually understood what I wrote. Or maybe the 1:10 ratio reflects the number of script kiddies on this list ;-)
>
> Darren
>
> In some mail from Simple Nomad, sie said:
> > Yes but if the firewall or router is simply dropping the packets (common with filter-based rules) then all UDP ports will show up as open, when in fact they are not.

I think that a 'script kiddies' workaround may be: if nmap found all UDP ports open print 'Warning, seems that all UDP ports are open, maybe that outgoing type 3 ICMP or ingoing UDP packets are filtered, bla bla'.

antirez

--
Salvatore Sanfilippo, Developer, Linuxcare, Inc.
+39.049.8024648 tel, +39.049.8036484 fax
antirez () linuxcare com, http://www.linuxcare.com/
Linuxcare. Support for the revolution.
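The filtering checks discussed in this thread, written out as an added example for reading UDP scan results; it is not part of the original messages and is not Nmap's code. The response labels, the function name and the sample results are assumptions constructed for illustration; the threshold of 1000 ports comes from the message above.

```python
# Added example: interprets UDP probe results only; it sends no packets.
# The response labels and function name are assumptions made for this sketch.
NO_REPLY, UDP_REPLY, PORT_UNREACH, OTHER_ICMP = "none", "udp", "icmp-3/3", "icmp-other"
MIN_PORTS = 1000  # "very high, above 1000" in the message above


def classify_udp_scan(results, control_port=None):
    """results maps port -> response label; returns (verdict, states, warnings)."""
    per_port = {UDP_REPLY: "open", PORT_UNREACH: "closed",
                OTHER_ICMP: "filtered",      # REJECT rule answered with an ICMP error
                NO_REPLY: "open|filtered"}   # silence alone proves nothing
    states = {port: per_port[resp] for port, resp in results.items()}
    warnings = []

    verdict = "unknown"
    control = results.get(control_port)      # probe to a port assumed closed
    if control == PORT_UNREACH:
        verdict = "unfiltered"               # the closed port answered as expected
    elif control == NO_REPLY:
        verdict = "drop-filtered"            # a closed port stayed silent: DROP rule
    elif control == OTHER_ICMP:
        verdict = "reject-filtered"
    elif len(results) > MIN_PORTS and PORT_UNREACH not in results.values():
        verdict = "drop-filtered"            # many ports, not one port unreachable

    # The warning antirez proposes: nothing in the scan looks closed or rejected.
    if states and all(s in ("open", "open|filtered") for s in states.values()):
        warnings.append("all UDP ports look open: outgoing ICMP type 3 or "
                        "incoming UDP may be filtered")
    if verdict == "drop-filtered":
        # Silent ports cannot be called open once a DROP filter is inferred.
        states = {p: "filtered" if s == "open|filtered" else s
                  for p, s in states.items()}
    return verdict, states, warnings


# Constructed sample results (not from a real scan).
SCAN_ALL_SILENT = {port: NO_REPLY for port in range(1, 1201)}
SCAN_CONTROL_SILENT = {53: UDP_REPLY, 161: NO_REPLY, 65535: NO_REPLY}
SCAN_CONTROL_ANSWERS = {53: UDP_REPLY, 69: PORT_UNREACH, 161: NO_REPLY,
                        65535: PORT_UNREACH}

if __name__ == "__main__":
    for name, scan, ctl in [("all silent", SCAN_ALL_SILENT, None),
                            ("control silent", SCAN_CONTROL_SILENT, 65535),
                            ("control answers", SCAN_CONTROL_ANSWERS, 65535)]:
        verdict, states, warnings = classify_udp_scan(scan, ctl)
        print(name, verdict, warnings)
```

Silence from the control port can also be caused by ICMP error rate limiting on the target, so the control probe is worth repeating before the verdict is trusted.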